Sapphire: using network gateways for IoT security

2018 
The increasing popularity of IoT devices in both residences and enterprises has widened the attack surface for network-connected devices. Many popular IoT devices have unpatched vulnerabilities or default passwords and lack basic security mechanisms, making them easy prey for malware and botnets. In this paper, we share our experience of designing and using an experimental deployment of network gateways to provide IoT security to both the IoT devices and the gateways themselves. We propose three approaches to framework design and network data collection, each providing a different level of visibility into IoT device behavior. Finally, we present our methodology and experimental evaluation of a small-scale deployment of gateways and IoT devices for volumetric anomaly detection and IoT device identification, using the data collected by the gateways behind the NAT or in the cloud, outside the NAT. We believe that securing IoT devices can be more efficient and effective when there is more visibility into device activity and security capabilities are deployed close to the devices, in the gateway. However, a hybrid approach in which data is collected on the gateways and analyzed in the cloud can be more practical; special considerations regarding sensitive data storage and privacy guarantees have to be taken into account.